feat: add env-based configuration and token-in-cookie auth
Implement 12-factor configuration via environment variables and token-in-cookie authentication for Gitea API access.

- internal/config/config.go: reads GITEA_URL, GITEA_TOKEN, LISTEN_ADDR, SESSION_SECRET from environment with validation
- internal/auth/cookie.go: HMAC-signed HTTP-only cookie for storing Gitea API tokens (Secure, SameSite=Strict)
- internal/middleware/auth.go: extracts token from cookie, injects into request context, redirects unauthenticated users to /settings
- internal/middleware/logging.go: structured JSON request logging
- internal/handlers/settings.go: settings page for entering/removing Gitea API token with mobile-first dark UI
- cmd/server/main.go: integrated config, auth middleware, and settings

Includes unit tests for config loading, cookie signing/verification, and auth middleware bypass/redirect logic.

Closes leeworks-agents/gitea-mobile#2

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
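--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@@ -0,0 +1,54 @@
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
+)
+
+// contextKey is a private type for context keys in this package.
+type contextKey string
+
+const (
+	// TokenContextKey is the context key for the Gitea API token.
+	TokenContextKey contextKey = "gitea_token"
+)
+
+// TokenFromContext extracts the Gitea API token from the request context.
+func TokenFromContext(ctx context.Context) string {
+	token, _ := ctx.Value(TokenContextKey).(string)
+	return token
+}
+
+// Auth returns middleware that checks for a valid token cookie.
+// Unauthenticated requests are redirected to the settings page.
+// The /health, /settings, and /static/ paths are exempt from auth.
+func Auth(sessionSecret string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Skip auth for exempt paths.
+			path := r.URL.Path
+			if path == "/health" || path == "/settings" || hasPrefix(path, "/static/") {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			token, err := auth.GetToken(r, sessionSecret)
+			if err != nil || token == "" {
+				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
+				http.Redirect(w, r, "/settings", http.StatusSeeOther)
+				return
+			}
+
+			// Inject token into request context.
+			ctx := context.WithValue(r.Context(), TokenContextKey, token)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func hasPrefix(s, prefix string) bool {
+	return len(s) >= len(prefix) && s[:len(prefix)] == prefix
+}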
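Review bot: `hasPrefix` at the bottom of the hunk re-implements `strings.HasPrefix`; the exempt-path check would read `if path == "/health" || path == "/settings" || strings.HasPrefix(path, "/static/") {` with `"strings"` added to the import group and the helper removed. The middleware itself only checks that `auth.GetToken` returned no error and a non-empty string; the commit message says the cookie is HMAC-signed, but the verification is in the auth package and not visible in this hunk, so a comment on that call such as `// GetToken returns an error for a missing or unverifiable cookie; both cases fall through to the redirect` would tell readers where the integrity check lives, if that matches GetToken's contract. The 303 redirect is applied regardless of method, so a POST that fails auth is redirected to /settings rather than rejected; that is acceptable for a browser UI but worth stating in the Auth doc comment. TokenFromContext's comment could also note that it returns the empty string when the context carries no token, since that is the value callers will see on the exempt paths.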